August 2, 2016

On 12 July 2016, the European Commission adopted the EU-US Privacy Shield adequacy decision.  The Working Party says that it welcomes the improvements brought by the Privacy Shield mechanism compared to the Safe Harbour decision.

In its Opinion on the draft EU-US Privacy Shield adequacy decision, the Working Party expressed concerns and asked for various clarifications.  The Working Party says that it “commends the Commission and the U.S. authorities for having taken them into consideration in the final version of the Privacy Shield documents”.  However, it says, “a number of these concerns remain regarding both the commercial aspects and the access by U.S. public authorities to data transferred from the EU”.

In terms of the commercial aspects, the Working Party says that it “regrets the lack of specific rules on automated decisions and of a general right to object”.  It also remains “unclear how the Privacy Shield Principles apply to processors”.

As for access by public authorities to data transferred to the US under the Privacy Shield, the Working Party says that it would have expected “stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism”.

In terms of the bulk collection of personal data, the Working Party notes the commitment of the Office of the US Director National Intelligence not to conduct mass and indiscriminate collection of personal data.  Nevertheless, it “regrets the lack of concrete assurances that such practice does not take place”.

The first joint annual review will therefore be “a key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed”, the Working Party says.  The competence of DPAs in the course of the joint review should be clearly defined, it says.  In particular, all members of the joint review team should have the opportunity to directly access all the information necessary for the performance of their review, including “elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities”.  When participating in the review, the national representatives of the Working Party will not only assess if the remaining issues have been resolved, but will also look at whether the safeguards set out in the Privacy Shield are “workable and effective”.  The results of the first joint review regarding access by the US public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses, the Working Party says.

In the meantime, the Working Party members will “commit themselves to proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism, in particular when dealing with complaints”.  The Working Party will be providing information for data controllers on their obligations under the Privacy Shield, commenting on the guidance for citizens, making suggestions on the composition of the EU centralised body and commenting on the organisation of the joint review.  To read the Working Party’s Statement in full, click here.